
Audit Risk

Audit risk is the risk of expressing an inappropriate audit opinion on financial statements that are materially misstated.

The objective of the audit is to reduce this audit risk to an acceptably low level.



Audit risk has two key elements, as illustrated below.


To reduce audit risk to an acceptably low level, the auditor is required to:

  • Assess the risks of material misstatement; and

  • Limit detection risk. This may be achieved by performing procedures that respond to the assessed risks of material misstatement, both at the financial statement level and at the assertion level, for classes of transactions, account balances, and disclosures.



Audit Risk Components

Inherent Risk

Description: The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Commentary: This includes events or conditions (internal or external) that could result in a misstatement (error or fraud) in the financial statements.

The sources of risk (often categorised as business or fraud risks) can arise from the entity’s objectives, the nature of its operations/industry, the regulatory environment in which it operates, and its size and complexity.




Control Risk

Description: The risk that a misstatement that could occur in an assertion about a class of transaction, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

Commentary: Management designs controls to mitigate a specified inherent (business or fraud) risk factor. An entity assesses its risks (risk assessment) and then designs and implements appropriate controls to reduce its risk exposure to a tolerable (acceptable) level.

Controls may be:

  • Pervasive in nature, such as management’s attitude toward control, commitment to hiring competent people, and prevention of fraud. These controls are assessed at the financial statement level; and

  • Specific to the initiation, processing, or recording of a particular transaction. These are often called business process, activity-level, or transaction controls.



Detection Risk

Description: The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

Commentary: The auditor assesses the risks of material misstatement (inherent and control risk) at the financial statement and assertion levels.

Audit procedures are then developed to reduce audit risk to an acceptably low level.

This includes consideration of the potential risk of:

  • Selecting an inappropriate audit procedure;

  • Misapplying an appropriate audit procedure; or

  • Misinterpreting the results from an audit procedure.






Note: The ISAs define the risk of material misstatement at the assertion level as consisting of two components: inherent risk and control risk.

Consequently, the ISAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement.”

However, the auditor may make separate or combined assessments of inherent and control risk, depending on preferred audit techniques or methodologies and practical considerations.



Separate business and fraud risks

Many inherent risks can result in both business and fraud risks. For example, a new accounting system may create potential for errors (business risk), but may also provide an opportunity for someone to manipulate financial results or misappropriate funds (fraud risk).

So when a business risk is identified always consider whether